Hello list!
If anyone could shed some light on the following I would be thankful.
I have two 5.4-current boxes, one acting as an npppd server over IPsec
and the other one wishing to be a client.
My understanding is that to accomplish that the client needs
to use xl2tpd from ports.
The problem is that although Linux and Windows clients connect
OK with the same setup, I can't get the OpenBSD client to connect.

server /etc/ipsec.conf:
local_ip="A.B.C.D"
ike passive esp transport proto udp from $local_ip to any port 1701 \
         main auth "hmac-sha" enc "aes" group modp2048 \
         quick auth "hmac-sha" enc "aes" \
         psk "xxxxxxxxx"

OpenBSD client /etc/ipsec.conf:
remote_ip="A.B.C.D"
local_ip="E.F.G.H"
ike passive esp transport proto udp from $local_ip to $remote_ip port 1701 \
         main auth "hmac-sha" enc "aes" group modp2048 \
         quick auth "hmac-sha" enc "aes" \
         psk "xxxxxxxxx"

Now when both endpoints start isakmpd and run ipsecctl we see the flows
being created.
The same kinds of flows get created for the other Windows and Linux clients.

server /etc/npppd/npppd.conf:
authentication LOCAL type local {
        users-file "/etc/npppd/npppd-users"
}

tunnel L2TP_ipv4 protocol l2tp {
        listen on 0.0.0.0
        l2tp-accept-dialin yes
        authentication-method mschapv2
        pipex yes
}

ipcp IPCP {
        pool-address 10.0.10.2-10.0.10.254
        dns-servers 8.8.8.8
}

# use tun(4) interface.  multiple ppp sessions concentrate one interface.
interface tun0  address 10.0.10.1 ipcp IPCP
bind tunnel from L2TP_ipv4 authenticated by LOCAL to tun0

OpenBSD client's /etc/xl2tpd/xl2tpd.conf:
[global]
debug avp = yes
debug network = yes
debug state = yes
debug tunnel = yes

[lac foo]
lns = A.B.C.D
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
autodial = yes

OpenBSD client's /etc/ppp/options.l2tpd.client:
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
lock
name xxxxx
password xxxxx

The problem is that, as we see from the logs, the OpenBSD client refuses
to cope with mschap-v2 and various other options from that last file.
If we remove all the offending options we end up with "no authentication
protocols are agreeable" in the npppd logs... Ideas? Suggestions for other
approaches?

Help me misc@openbsd.org, you're my only hope... ;)
Thanks guys.